5 Replies Latest reply: Jun 21, 2012 2:43 PM by Mike Pomraning RSS

SSL certificate

Kelvin Davis

Hey,

 

Would anybody be able to tell us why our SSL certificate is failing PCI scans? Qualys PCI reports: "Server Supports Weak Encryption Vulnerability (QID: 38140)"

 

However when I check mail.aqualisa.co.uk (redirects to https) on www.digicert.com/help it reports "Signature algorithm = SHA1 + RSA (good)"

 

Any pointers would be very helpful thank you.

 

Regards,

Kelvin

  • Re: SSL certificate
    Keith Shaw

    To fix this vulnerability you will need to change your server configuration to not allow connections with weak encryption.  Try running an SSL Server Test to find out what protocols and cipher suites your server supports.

     

    Cheers,

    Keith

    • SSL certificate
      Tuan Phan

      The tool that you provided to do the SSL analysis is for external domains. Do you have tool to that same tool for internal use?

      • SSL certificate
        Mike Pomraning

        Tuan,

         

        A VM subscription can provide almost all of the functionality of SSL Labs' external scans, as described here:  https://community.qualys.com/thread/10275

         

        -Mike

        • SSL certificate
          Tuan Phan

          Mike,

           

          We do have a VM subscription and we could not find a way to resolve the > SSL Server Supports Weak Encryption Vulnerability (QID: 38140). We don’t know what the scan is looking for nor do we have any experience in setting those cipher parameters. We are not seeking for Certification checking nor checking to see of any of them expired\soon to expire. The SSL Server Test is good for external, but what about internal? overall what is the solution to remediate QID 38140. Thank you

          • SSL certificate
            Mike Pomraning

            Tuan,

             

            The KnowledgeBase entry for QID 38140 under the Threat section identifies LOW grade ciphers as those with a small key length.  Under the Solution section it proposes some common configuration options for Apache and Tomcat, and provides links for IIS configuration.

             

            (If memory serves, the UNIX command-line client openssl can also be asked to produce a list of LOW grade ciphers as follows: openssl ciphers LOW.  Any ciphers that appear there probably ought be suppressed from your servers.  Now, your openssl build might not have exactly the same cipher list as the current scanner, but it's a place to start if the KnowledgeBase suggestions aren't appropriate.)

             

            -Mike